Android Tutorial THE BASICS: HACKING (MOD) ANDROID GAMES WITH NET REFLECTOR

Infamous-Ash · December 5, 2016

Requirements:

1) Have the .apk file you want to hack.

2) Have WinRar installed on your PC. ( Download WinRar 32bit | Download WinRar 64bit )

3) Have .NET Reflector. ( Download .NET Reflector 9.0 )

4) Have "Reflexil", a required Plugin to hack files with .NET Reflector. ( Download Reflexil Plugin for .NET Reflector )

5) Have an APK SIGNER. I personally use the one-click signer. ( Download one click apk signer )

Get Ready

Let's prepare our workspace:

1) The first step is to look inside our .apk file, in order to be sure it can be hacked with this method. What we will do is to rename the apk from .apk to .zip;

2) Double click on the .zip file and you should be able to open it with WinRar. If not, make right-click and select "Open With..." and then chose "WinRar";

3) Try to go to the following location: assets/bin/Data/Managed/. If you reached it succesfully, and if you see lots of .dll files inside it then YES, you can hack this game (or you can TRY hacking it) using .NET Reflector!

4) Now, extract the whole "Managed" folder wherever you like (I personally have a folder on my Desktop I exclusively use to hack games, where I put all the softwares I need to hack them).

5) Open ".NET Reflector", move ALL THE .DLL FILES from the "Managed" folder inside it (move them in the LEFT box of Reflector).

6) Press F3, then press Ctrl+M. This will enable the Search box and set it properly for our scopes. Please note this must be done EVERY TIME you open .NET Reflector.

7) Launch Reflector (if you read the "ReadMe.txt" into the Reflexil folder of my download link above, you already know how to launch it. Otherwise, well, click on the Gear icon or go to Tools -> Reflexil and click on it)

Ok, we managed to set up everything properly and we can finally start hacking!

Let's start

So, let's read what I'll write below very carefully, since it's easy to understand if you spend enough time reading, ok?

1) The first step, after you grabbed your .apk file is to open it with WinRar (I personally rename the extension to .zip in order to open it automatically with WinRar, but you can simply do Right Click on the .apk file and select "Open With..." -> WinRar).

2) Browse to the following path, inside the WinRar window: assets/bin/data/Managed/, like the screenshot below:

3) Extract (you can simply drag them) all the .dll files of this archive into your desired folder (or, to be faster, just drag the entire "Managed" folder of the archive out of it.

4) Now, Open NET Reflector, press F3 and Ctrl+M (this must be done every time, to quickly set up NET Reflector for our usage), load the "Reflexil" plugin by clicking on the Gear icon and move all the .dll files inside .NET Reflector's window (at the left, like in the screenshot below):

Now we're ready to search, so input your desired keyword in the Search Box and edit the desired code, like in the Screenshot below. Watch it carefully:

6) To edit the code, you need to right-click on the desired instruction you want to modify and select "Edit". When you're done with edits, click on Update, like in the screenshot below:

7) Now, let's save our code. To do this, in the Left panel of .NET Reflector, scroll up until you find the name of the Assembly you modified, then do Right Click -> Reflexil -> Save, like in the screenshot below:

8) It'll add ".Patched" to the original name the of the .dll file, so you know which one is the modified and which one is the original .dll file. Now, to be sure we modified the right code, let's load again the Assembly into .NET Reflector, to see how it does look now. (this step is optional, but recommended if you're not 100% sure the hack is properly coded:

9) Ok, in my example the codes were right so we can proceed adding the modified .dll file to our original .apk file. So we open the .apk file again with WinRar and replace the original "Assembly-Csharp.dll" (or any other .dll files you modified) with the one containing ".Patched", but of course, you need to rename the file to its original name, or the game will not load. So, in my example, I renamed Assembly-Csharp.Patched.dll to Assembly-Csharp.dll in order to restore its original name.

10) Now it's time to sign it (or you can add toast before singning apk if you want, before signing the .apk file). So we move the modified .apk file in the same folder of the "one_click_signer.cmd" file (or, if you use another apk signer, use your method to sign it), then we open it by double-clicking it and a Command Prompt window will appear.

All we need to do is to type:

"name of the apk file.apk"

and press Enter, like in the screenshot below (don't forget the "" symbols, they are part of the code you need to write!):

11) That's it! Our MOD APK file is ready! You'll find a new .apk file in this folder, starting with "signed-". This is the signed .apk file you can finally share! But first, of course, test the game and ensure it does properly work. If yes, it means you're a good hacker and you can finally upload the .apk file to share it with everyone! If the .apk file is not properly working, or if the codes you made aren't showing, well, don't lose hope! Just try again, modifying some other offsets! Good luck!

FAQs:

If you need help, as always, reply below and I'll be glad to add further details or to give you an helping hand!

Do you have an Int32?

You can return a value this way:

ldc.i4 -> Int32 -> Your_Value (no limits)

ret

or

ldc.i4.s -> SByte -> Your_Value (max 128)

ret

Do you have an Int64?

You can return a value this way:

ldc.i8 -> Int64 -> Your_Value

ret

Do you have a Single?

You can return a value this way:

ldc.r4 -> Single -> Your_Value

ret

Do you have a Double?

You can return a value this way:

ldc.r8 -> Double -> Your_Value

ret

Do you have a "Boolean"?

I'm used to compare "Boolean" with a question. Basically, it "asks" something to the game, and the game will answer with True (yes) or False (no).

For example: get_isVip will "ask" the game if the user is a VIP, and the game will probably answer "No, he's not a VIP!!!", so what can we do here?

We have two ways. The first (easier, but you will not learn much..) is about returning always True (yes), while the second (not alwasy applicable, but it's the "pros" way) is about making the game thing you're a VIP for real.

But first, let's explain how to return "True" or "False" in the game.

True = ldc.i4.1 (or ldc.i4 -> Int32 -> 1)

False = ldc.i4.0 (or ldc.i4 -> Int32 -> 0)

Beware that you must always use ldc.i4 (and not ldc.r4, ldc.i8 and so on..) or the game will crash.

So, the easiest way to always return True (or False) to a Boolean is to replace the whole function with:

[TRUE]

ldc.i4.1

ret

[FALSE]

ldc.i4.0

ret

Now, let's talk about the pros' method. As we said above, it's all about making the game think you're a VIP for real, so the Boolean will naturally return a true value, even if we both know you're not a VIP for real in the game (of course I talk about VIP to make an example, you can replace the word "VIP" with anything. For example, "get_isUnlocked" or simply "IsUnlocked" is a boolean to unlock stuff in the game and so on.. it's up to you to find the right keyword to hack a value).

Sometimes, there are some "checks" to ensure if you're a VIP or not. For example, the game checks you VIP level and, if it's equal to 0 returns a false, while if it's higher than 0, it returns true.

It should look like this (very basic example) in NET Reflector decompilation window:

get_isVip {

if (this.Player.get_vipLevel) > 0

{

return true

}

return false

}

And, in Reflexil (the plugin's window you have at the bottom) you should see something like:

0 ldarg.0

1 ldfld Player.get_vipLevel

2 ldc.i4 0

3 bge (6 -> ldc.i4.1)

4 ldc.i4.0

5 br (7 -> ret)

6 ldc.i4.1

7 ret

Now, it's not that hard to understand what Reflexil says. Let's compare the text with the NET Reflector's decompiled code:

ldarg.0 -> "this."

ldfld -> loads the value, in particular, the one about the Player's vip Level

ldc.i4 0 -> it means 0, referring to the player's vip level

bge (6 -> ldc.i4.1) -> it means "branch if greather than". This means, if the Player's vip Level (ldarg.0 + ldfld) is greather than 0 (ldc.i4 0), the function will jump to the sixth function (ldc.i4.1 which means true)

ldc.i4.0 -> which means false. If the function didn't jump to the ldc.i4.1, the game will return this value (false) so the player will not be a VIP

br (7 -> ret) -> this will jump to the 7th function, which is the "ret". Of course, after returning the false, the function needs to close itself, so it'll jump to the "ret" at the end of it.

ldc.i4.1 -> this means true and it's called by the "bge" we've seen above. This is the only way this value is called so, if the player value is higher than 0, this will be the next value returned = the Player IS a VIP.

ret -> You know better than me that "ret" ends the function. Remember EVERY function in the game must end with "ret" or the game will not work properly.

So, after this long and boring lesson, what's the pros' way to hack this?

The answer is in your brain. If the player vip level is higher than 0, the player will be a VIP so what will we do? Of course, we'll hack the player vip level! How? Simply look for "get_vipLevel" (please note this is just an example, it doesn't apply to any particular games and the keyword could change) and it'll probably be an Int32 so you'll simply replace its whole function to:

ldc.i4 -> Int32 -> 15 (for example, as most games with the VIP interface caps the VIP level at 15, while some other have got 10 as VIP level's cap)

ret

This will not only automatically enable your VIP membership, but it will also give you a VIP level = 15.

Please note, even if we manage to hack the VIP level in particular, some online games will still NOT give you the privileges of the VIP membership, or you will get only some of them. Why? Because sometimes the vip level in online games is managed by the server, so you could be the only one seeing you're a VIP member, while all the other people will see you're NOT a VIP member, because you're not a VIP for the server. So, if this value is server-sided, you may still not be able to get your vip privileges with this hack.

How to multiply a value?

Easy, you have to add the number you want to multiply the value with followed by "mul", before the "ret" or, to be more precise, after the function returns the value you want to hack.

Example:

ldarg.0 (which means "this.")

ldfld Player::get_money

ldc.i4 (or ldc.i8, or ldc.r4, or ldc.r8. Which one? See my above examples) -> Int32 (or Int64, or Single, or Double. Which one? See my above examples) -> Your_Value

mul

ret

Sometimes the function returns different values if different events occur, so it could be necessary to multiply more values.

How to divide/subtract/add a value?

It's the same as before, you just need to use "div" (or "sub" or "add") and not "mul" (div = divide, mul = multiply, sub = subtract, add = add).

What's the difference between multiplying something and simply returning 9999999?

The main difference is that returning 9999999 will give a STATIC value. It will never decrease/increase, while multiplying (or adding) a value will give a DYNAMIC value, so you can run out of money, but you theorically also have a lower ban chance. Don't think about 9999999 only when talking about money. This could be HP or Damage or XP and so on..

(All the Credits goes to Sbenny)